The 2026 World Cup is expected to bring not only a global soccer celebration, but also a surge in cyberattacks and online fraud attempts, a senior cybersecurity expert warned.
Ofir Zilbiger, head of cybersecurity for EMEA at BDO, said major sporting events typically see a 30% to 40% increase in fraud attempts, and the World Cup could see an even sharper rise because of growing geopolitical tensions between the United States and Iran.
Zilbiger said the threats are expected to target both national infrastructure and the public. On the state level, he said hackers, particularly those linked to Iran, are likely to focus on airports, transportation systems and critical infrastructure in an effort to disrupt operations and create chaos.
Expected attack methods include ransomware, DDoS attacks against official and ticketing websites and influence campaigns aimed at shaping public opinion. Zilbiger said the growing availability of artificial intelligence tools could make attacks more sophisticated, including by helping hackers exploit third-party vulnerabilities to penetrate secure systems.
The public is also facing rising risks, he said, with fraud and impersonation scams already increasing by tens of percent. Many use AI to closely mimic legitimate websites and services.
Zilbiger said Iranian hackers are behind a significant share of the activity, with many attacks targeting citizens from Israel amid ongoing tensions. The scams include fake ticket sales, fraudulent travel packages and attempts to steal credit card details. Fake apps claiming to offer free live streams of World Cup matches are also circulating and may install malware or surveillance tools.
“Cybersecurity technologies today are more advanced than ever, but ultimately, especially for the public, there is no substitute for simple, everyday precautions,” Zilbiger said.
He urged fans to avoid clicking unfamiliar links, refrain from entering credit card information on unverified websites and independently check whether text messages or emails are authentic.
“In most cases, a quick phone call or a brief check on the company’s official website can prevent significant damage,” he said.